Safe and Secure

User accounts

The most obvious measure is the most neglected. Why? Because it is so comfortable to work as Administrator: no trouble with permissions. But running Internet Explorer as Administrator is asking for trouble. Create normal user accounts for yourself and your family members. Just do it.

UAC - The Shield

The Windows 7 UAC is, in my view, too present by default. It is one of the measures that keeps your system safe: it permits changes to the secure part of your system only if you hold the elevated admin token. To get that you need admin permissions and you need to click OK when prompted. But viruses, spybots and malware can still easily nest in the areas where users can write too.

UAC or User Account Control is part of a group of security features that Windows uses (the Windows Security System):

  • programs and drivers that are digitally signed with certificates (in Windows 7 explorer.exe isn't even signed, why?)

  • programs that run from trusted locations, like C:\Windows\System32 and C:\Program Files

    • programs can run at 4 levels of security (integrity levels): Low, Medium, High, System (needs the admin token) -> UAC

There are three situations with users and UAC:

  • you are the real Administrator (UID 500): always elevated, no UAC prompt

  • you have admin rights (member of the local Administrators group): only a UAC prompt for elevation

  • you are a normal user: you are asked for an admin account's credentials, and get a UAC prompt unless that is the Administrator account (UID 500)

Programs that need System integrity must run elevated, even for users that already have admin rights (except the user Administrator).

Elevated permissions make it possible to write to the registry under HKLM or HKCR, and to C:\Program Files or C:\Windows, etc.

Luckily you can make UAC a little more user friendly and keep the security. It then only kicks in when actual changes are about to be made to the secure parts of your system. Use gpedit.msc or the registry. More info here.

A great documentary about what viruses and worms can do with systems connected to the internet, for business purposes (for making money, that is):

In the registry, enter or change the keys and values as below. The lines that are not commented out with ; (shown in orange on the original page) are the ones to apply; the commented alternatives are kept for reference.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

;### Elevate, no prompt for admin
;"PromptOnSecureDesktop"=dword:00000001
;"ConsentPromptBehaviorUser"=dword:00000003
;"ConsentPromptBehaviorAdmin"=dword:00000000
;"EnableLUA"=dword:00000001

;### Elevate, both user and admin prompt (default)
;"PromptOnSecureDesktop"=dword:00000001
;"ConsentPromptBehaviorUser"=dword:00000003
;"ConsentPromptBehaviorAdmin"=dword:00000005
;"EnableLUA"=dword:00000001

;### Elevate, but only for changes to the computer secure parts
"PromptOnSecureDesktop"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000003
"ConsentPromptBehaviorAdmin"=dword:00000005
"EnableLUA"=dword:00000001

;### Also UAC prompt for user Administrator (UID 500)
;"FilterAdministratorToken"=dword:00000001

;### Don't ask user for admin credentials if necessary, always fail
;"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI]
"EnableSecureCredentialPrompting"=dword:00000001
;### asks for credentials with an extra CTRL+ALT+DEL, dunno why that is useful
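A quick way to check which of the four UAC modes above a machine is actually in, as an added example that is not part of the original page. It reads the same Policies\System values the registry fragment sets, falls back to the Windows 7 defaults for values that are absent, and labels the result with the page's own mode names.

```powershell
# Added example: audit the UAC values set by the registry fragment above.
# Reading HKLM needs no admin rights, so this runs from a normal user prompt.
function Get-UacMode {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # A value that is not present behaves as the Windows 7 default.
    $lua    = if ($null -ne $p.EnableLUA)                  { $p.EnableLUA }                  else { 1 }
    $admin  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $user   = if ($null -ne $p.ConsentPromptBehaviorUser)  { $p.ConsentPromptBehaviorUser }  else { 3 }
    $secure = if ($null -ne $p.PromptOnSecureDesktop)      { $p.PromptOnSecureDesktop }      else { 1 }
    $filter = if ($null -ne $p.FilterAdministratorToken)   { $p.FilterAdministratorToken }   else { 0 }

    # Map the combination onto the labels used in the registry fragment.
    $mode = if ($lua -eq 0) {
                'UAC disabled: every process of an admin-group user runs fully elevated'
            } elseif ($admin -eq 0) {
                'Elevate, no prompt for admin'
            } elseif ($admin -eq 5 -and $secure -eq 1) {
                'Elevate, both user and admin prompt (default)'
            } elseif ($admin -eq 5 -and $secure -eq 0) {
                'Elevate, but only for changes to the computer secure parts'
            } else {
                "Custom (ConsentPromptBehaviorAdmin=$admin)"
            }

    [pscustomobject]@{
        Mode                        = $mode
        # With the secure desktop off, other software can draw over the prompt.
        AdminPromptsOnSecureDesktop = ($secure -eq 1)
        # ConsentPromptBehaviorUser 0 means elevation requests are auto-denied.
        StandardUserCanElevate      = ($user -ne 0)
        # FilterAdministratorToken 1 makes UAC apply to Administrator (UID 500) too.
        BuiltInAdminFiltered        = ($filter -eq 1)
    }
}

Get-UacMode | Format-List
```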

A nice little program made by itknowledge24 is called UAC Trust Shortcut 1.0. Download and install it to create shortcuts to programs that then run with elevated rights without the hassle of admin accounts and UAC prompts. You do need DotNet 4.0.

Check auto starting programs

Windows Defender already did a nice job on XP, monitoring the dangerous places in the registry where viruses can nest: BHOs, services, drivers, IE toolbars, HKLM and HKCU Run(Once), Winlogon Shell, AppInit_DLLs, etc.

A good tool to check these locations is HiJackThis or the SysInternals tool AutoRuns.

Can't download exe files with internet explorer or other browser?

When downloading exe files from sites in the Internet zone you will find that these are blocked by default. Even if you use another browser like Chrome, it will prevent exe files from being downloaded to disk. This is because the Internet zone security settings have the SmartScreen filter switched on, so SmartScreen determines whether the site is listed as safe to download exe files from. Switch the SmartScreen filter off in the security settings for the Internet zone.

Internet Zones and disable Ad Domains

Ad Domains are known to be unsafe domains. Attackers often inject extra payloads into these sites, since the reach of these domains is huge. If you have a website you can sell some of the space available on your webpage to Ad Domains so they can show advertisements for their customers.

Another reason to block these Ad Domains is that it can take ages to load the website you are interested in because of those ads.

Some say it is immoral to block them. Yeah, just like those telephone sales and door-to-door sales. Sure. Block them. I don't want it.

In Chrome you have standard (great) solutions like AdBlock. For Internet Explorer there are a few too. But there is a more basic solution.

Internet Explorer knows 5 internet zone types:

0 - your computer

1 - local intranet

2 - trusted sites

3 - internet

4 - restricted sites

For each zone (auto detected) you can specify what is allowed and what is prohibited. You can find that here: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 up to 4

There is however a possibility (since IE4?) to define domain names and specify per protocol (http/https/ftp/etc.) in which zone that domain belongs.

This is set in the registry here: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\...

Let's block the domain adlink.net. We create a new key there called adlink.net. Under that key we create a DWORD value called * (the asterisk means all protocols). Now comes the trick: we give the value * the data 5, meaning this domain is in zone 5. But there is no zone 5 defined, so the domain will not load at all.

We have blocked that domain.
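The same ZoneMap trick scripted, as an added example that is not from the original page: it writes the * = 5 value for a domain under the HKLM path given above, reads it back to confirm, and provides the reverse operation. It assumes an elevated PowerShell (HKLM is written) and uses the page's adlink.net plus one constructed domain as input.

```powershell
# Added example: map a domain to the undefined zone 5 for all protocols.
function Block-IeDomain {
    param([Parameter(Mandatory)][string]$Domain)

    $base = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key  = "$base\$Domain"

    # The value name is the literal '*' (all protocols). The .NET registry API
    # is used instead of New-ItemProperty so '*' can never be read as a wildcard.
    # Registry.SetValue creates the key if it does not exist yet.
    [Microsoft.Win32.Registry]::SetValue($key, '*', 5, [Microsoft.Win32.RegistryValueKind]::DWord)

    # Read it back: zone 5 has no definition under Internet Settings\Zones,
    # so IE has no settings for it and refuses to load the domain at all.
    $zone = [Microsoft.Win32.Registry]::GetValue($key, '*', $null)
    if ($zone -ne 5) { throw "Failed to map $Domain to zone 5" }
    "$Domain -> zone $zone (undefined zone, blocked for all protocols)"
}

# Reverse: remove the domain key so the domain falls back to auto-detection.
function Unblock-IeDomain {
    param([Parameter(Mandatory)][string]$Domain)

    $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Recurse
        "$Domain removed from ZoneMap"
    }
}

# Constructed input: the page's example domain plus a placeholder ad domain.
'adlink.net', 'ads.example.invalid' | ForEach-Object { Block-IeDomain -Domain $_ }
```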

As from IE8, and more so in IE9, you can use trace security to block unwanted domains. For IE8 you need to download an XML file to import. One good example is http://www.quero.at/download/adblock_ie.xml . You might want to set these in the registry so that InPrivate Filtering is on by default:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE]
"DisableInPrivateBlocking"=dword:00000000
"StartMode"=dword:00000001

For IE9 it is even easier. Go to the Security tracing options and download an adblock list from the IE gallery, like this one: http://www.iegallery.com/nl-nl/trackingprotectionlists .

If you have Avast installed (version 8) you also have an adblocker for Chrome, IE and Firefox. Look in C:\Program Files\AVAST Software\Avast\AdBlocker . For Chrome go to chrome://extensions and drag and drop the avast-adblocker-chrome.crx file into Chrome.

For IE install the avast-adblocker-ie.msi.

Block Ad Domains on Chrome and Firefox: uBlock

I used to have Adblock plugin for this. Now I have found a much better one: uBlock. Open source, light, fast and honest.

There is also the uBlock origin for Chrome.

To counter AdBlock detection on sites you need to install Anti Adblock Killer in uBlock Origin. This is very easy.

Go to the options of uBlock Origin and select 3rd-party filters. At the bottom of the page you see the Custom block.

Add this line (without !) : https://raw.github.com/reek/anti-adblock-killer/master/anti-adblock-killer-filters.txt

Click Parse and then Apply Changes.

AntiVirus

Windows Defender comes with Windows 7 and 8 and offers pretty good protection (91%). Make sure it is running and updating. I have turned it off though and use Avast Free version 8. If you have installed a good AntiVirus client you don't need Defender anymore.

But I don't use all shields of Avast. Only file, network, behaviour and script shield.

It is free and works pretty well. Sometimes a little too well.

Another good free alternative is Avira or even better free BitDefender (Both require DotNet 4).

Recent AntiVirus tests can be found here:

http://chart.av-comparatives.org/chart1.php

or

http://www.av-test.org/en/tests/home-user/windows-7/

I think AntiVirus clients are going a little over the top these days. Too many bells and whistles.

Windows Defender, Security Essentials and System Center Endpoint Protection

Windows 7 comes with a stripped down Windows Defender. A normal uninstall is not possible; it is not a feature or package that can be uninstalled with DISM.EXE. Unlike the latest version for XP or Windows 8.1 it only handles malware (spyware), not viruses. Microsoft has decided to make Microsoft Security Essentials available for free. It adds virus scanning and, like System Center Endpoint Protection (SCEP), OS patch and network inspection (NIS) scanning. But unlike the XP version it lacks the user interaction and tracing/hooks that the XP version had. As a techie I liked the warnings when some software tried to change my registry or filesystem.

Security Essentials and SCEP are not very different. SCEP can be controlled with policies and can alternatively get its updates from a network share. All of them get their updates through WSUS too. Detection notifications are logged in the Event Viewer.

In Windows 8 you get Security Essentials preinstalled instead of the spyware-only version of Defender.

The System Center Endpoint Protection 2012 R2 policy templates adml and admx can be downloaded below for use with Group Policies.

admx goes into C:\Windows\PolicyDefinitions and adml into C:\Windows\PolicyDefinitions\en-US.

If you want to update Defender or Security Essentials on a daily basis, create a task in the Task Scheduler that runs "MpCmdRun.exe -SignatureUpdate" daily.

Link to latest SCEP 4.10.209.0 (direct from Microsoft). If you cannot install try the /disableoslimit argument.

Protect against ransomware

Ransomware encrypts every file you have access to. That means server shares are encrypted too if you can write there.

The encryption software runs from your computer after you have started the malicious script.

Need to know:

  • Don't open suspicious mail

  • As it uses JavaScript (.js), you need to show file extensions in Windows Explorer

  • Ransomware is not a virus, it will not spread itself

  • You have started this chain of encryption yourself by starting a malicious script

  • If infected, shut down the PC immediately, then remove any network cable or Wi-Fi connection

On a Windows file server (2003 R2 and up) there is a wonderful tool called File Server Resource Manager. It can monitor file creation on the network shares it serves. So what you need to do is block the creation of ransomware-related files (patterns and extensions).

On top of blocking them, it will send you an e-mail the moment it happens.

You can find some examples here on Microsoft Technet or a how-to here on Altaro website.

An up-to-date pattern extension list can be found here: https://fsrm.experiant.ca/

From CMD you can manage it with FileScrn.exe and from PowerShell with *FsrmFileGroup commands.

I like to add !Recovery_*.* and *.crypt files too.

A command file that immediately denies that domain user access to the share; use it in the Command tab of the file screen notification:

@echo off
REM ### This file is used for user blocking if ransomware files
REM ### are detected by the file screen of FSRM.
REM ### In File Screen run command "C:\UserBlock [Source Io Owner] [Source File Path]"
REM ### %1 is arg in form DOMAIN\USER
REM ### we need only last part
Set USER=%1
Set USER=%USER:*\=%
REM ### Check if user exists, else exit
Net.exe user %USER% /domain || Exit /b
REM ### Lock the user (not working since local system is no domain admin)
REM Net.exe user %USER% /active:no /domain
REM Msg.exe * User %USER% is disabled at %time:~,-6%, %date% due to ransomware files %2
REM ### Deny share access for this naughty user
PowerShell.exe "Block-SmbShareAccess -Name DATA -AccountName %1 -Force"
Msg.exe * User %USER% is denied access to DATA share at %time:~,-6%, %date% due to ransomware files %2
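The FSRM side of the setup described above (file group with the ransomware patterns, an active file screen, and the event plus command notifications that call the command file), as an added example with the *Fsrm* cmdlets; this is not the page's own script. It assumes Windows Server 2012 or later with the FSRM role installed, that the DATA share lives at D:\DATA, and that the command file above is saved as C:\UserBlock.cmd; all three are placeholders, and the pattern list is a constructed starter set.

```powershell
# Added example: build the FSRM file group, screen and notifications with PowerShell.
Import-Module FileServerResourceManager

$groupName = 'Ransomware files'
# Constructed starter list: the two patterns the page adds plus generic ones.
# Extend it from the experiant.ca list mentioned above.
$patterns = @('!Recovery_*.*', '*.crypt', '*.encrypted', '*DECRYPT_INSTRUCTIONS*')

# Create the file group, or refresh its patterns if it already exists.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Notification 1: a warning in the Application event log, so monitoring
# picks it up. [Source Io Owner] and [Source File Path] are FSRM's own
# substitution variables (the same ones the command file receives).
$evt = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern [Source File Path] written by [Source Io Owner]'

# Notification 2: run the user-blocking command file as LocalSystem and kill
# it after 5 minutes if it hangs. Path is a placeholder (see lead-in).
$cmd = New-FsrmAction -Type Command -Command 'C:\UserBlock.cmd' `
    -CommandParameters '[Source Io Owner] [Source File Path]' `
    -SecurityLevel LocalSystem -KillTimeOut 5

# Active screening: the offending write is refused, not merely logged.
New-FsrmFileScreen -Path 'D:\DATA' -IncludeGroup $groupName -Active `
    -Notification @($evt, $cmd) -Description 'Block ransomware artefacts on DATA' | Out-Null

# Show what is now in place on the share.
Get-FsrmFileScreen -Path 'D:\DATA' | Select-Object Path, Active, IncludeGroup
```

Add an EmailNotification action with -MailTo and -Subject to the same -Notification array if FSRM's SMTP settings are configured, which gives the live e-mail the text above mentions.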

For local PC protection you might be interested in CryptoPrevent.

Java

Java is probably on your PC. But you might not even have used it once.

Java is a library and program environment for running Java programs. Much like Dot Net from Microsoft.

But Java is vulnerable. Version 6 was and version 7 still is. Everyone can get infected with viruses and malware via hacked websites that use this leak in Java. Why is it so hard to fix, Oracle?

For the time being you can do three things:

1 - remove Java from your PC

2 - disable the Java addon in Internet Explorer (or whatever browser you use)

3 - go to the Java settings in Control Panel and disable the local cache of Java applets. Remove any existing ones.

See my scripting page for examples with cmd script.

To minimize risk always update to the latest version.

Adobe Flash and Reader

These Adobe products are known to be insecure. As with Java, update to the latest versions to minimize the risk.

Download the latest flash plugin for your browser here and the Acrobat Reader from here or ftp.

Alternatively for Acrobat Reader you can also use the even better Foxit Reader.

AppLocker

Windows 7 and 2008 R2 have a feature called AppLocker......

Disable Banner Ads in Skype

http://www.cnet.com/how-to/how-to-disable-ads-in-skype/

Use OpenNic DNS servers

It is good practice to have alternative DNS servers available in your router configuration, just to be safe when your ISP is blocking some domains or is not functioning properly due to DDoS attacks or whatever. You can always use the 8.8.8.8 DNS server from Google. But that one is logging your DNS requests.

You are better off using the open DNS servers from the OpenNIC project. They do not log. Here you find all the info: http://wiki.opennicproject.org/HomePage

Look on the right side of the Homepage to find the DNS servers that are fastest for you. For NL that is 95.85.9.86

Use OpenDNS servers

OpenDNS works the same (now part of Cisco). It has a free Family DNS server that blocks adult domains. Since June 2014 it should also block (some?) ad domains. A server to use is 208.67.222.222